Requested and allowed cryptographic operations comparison

ABSTRACT

Embodiments herein relate to cryptographic operations. A process identifier (PID) identifying a process requesting a cryptographic operation is received. Next, at least one allowed cryptographic operation associated with the PID is determined. Then, the requested cryptographic operation is compared to the at least one allowed cryptographic operation, to determine if the requested cryptographic operation is allowable.

PRIORITY INFORMATION

This application claims the benefit of priority on U.S. ProvisionalApplication No. 61/509,078, filed Jul. 18, 2011, the entire contents ofwhich are incorporated herein in their entirety by reference.

BACKGROUND

A crypto process may access a crypto engine, to carry out acryptographic operation. Before the cryptographic operation can becarried out, the crypto process provides parameters to the cryptoengine, such as a mode and/or algorithm, as well as a key value. Thecrypto process may retrieve the key value from a separate location, suchas a key table. The key value may be associated with different types ofcryptographic operations and/or different processes. For example, thekey value may be associated only with some types of crypto processesand/or cryptographic operations. The key association may be set withinthe crypto process requesting the cryptographic operation itself or beenforced by another process.

However, security may be compromised if the key association is notsecurely maintained. For example, an unauthorized party may modify thekey association in order to carry out an unauthorized cryptographicoperation and/or allow access to the key value by an unauthorizedprocess. Manufacturers, vendors, and/or users are challenged to providemore secure methods for preserving key associations.

BRIEF DESCRIPTION OF THE DRAWINGS

The following detailed description references the drawings, wherein:

FIG. 1 is an example block diagram of a cryptographic device;

FIG. 2 is another example block diagram of a cryptographic device;

FIG. 3 is an example block diagram of a computing device includinginstructions for comparing requested and allowed cryptographicoperations; and

FIG. 4 is an example flowchart of a cryptographic method.

DETAILED DESCRIPTION

Specific details are given in the following description to provide athorough understanding of embodiments. However, it will be understood byone of ordinary skill in the art that embodiments may be practicedwithout these specific details. For example, systems may be shown inblock diagrams in order not to obscure embodiments in unnecessarydetail. In other instances, well-known processes, structures andtechniques may be shown without unnecessary detail in order to avoidobscuring embodiments.

A crypto process may seek to carry out a cryptographic operation, suchas encryption or decryption of information. Thus, the crypto process maysend cryptographic parameters, such as a type of algorithm, mode and/orkey value, to a crypto engine. For security reasons, use of the keyvalue may be restricted to only certain types of cryptographicoperations or crypto processes. These restrictions or attributes may beset in software, such as at the crypto process requesting thecryptographic operation itself or at another process.

However, security may be compromised if the process is accessed by anunauthorized user. For example, the key value may be leaked and/or theattributes associated therewith may be manipulated or ignored. As aresult, the unauthorized user may be able to carry out impropercryptographic operations and thus, for example, decrypt confidentialinformation.

Embodiments may reduce a likelihood of key values being exposed and/orattributes associated therewith from being violated. For example, anattribute module may receive a process identifier (PID) identifying aprocess requesting a cryptographic operation. Next, the attribute modulemay determine at least one allowed cryptographic operation associatedwith the PID. Then, a comparison module may compare the requestedcryptographic operation to the at least one allowed cryptographicoperation. If the requested cryptographic operation is allowable, thecomparison may signal a crypto module to carry out the requestedcryptographic operation. Otherwise, the requested cryptographicoperation will not be performed. Thus, an unauthorized cryptographicoperation may be prevented and security may be increased.

In one embodiment, the process may not have direct access to the keyvalue. Instead, the process may forward a key identifier (KID), to theattribute module. The attribute module may then retrieve the key valuebased on the KID, and forward the key value directly to the cryptomodule. Further, the attribute module may further filter the at leastone allowed cryptographic operation based on the KID. Thus, security maybe improved by not exposing the key value and/or the attributesassociated therewith to the process. Further, as the process does notforward the key value to the crypto module, a likelihood of the cryptomodule receiving an invalid key value from the process is also reduced.Further, by blocking visibility to the process of the attributesassociated with the key value, security may be improved by reducing alikelihood that a user knows all possible cryptographic operationsand/or processes associated with a key value.

In another embodiment, the attribute module and/or comparison module maybe implemented in hardware only. Therefore, security may be improved asmodifying or violating the hardware implemented attributes may besubstantially more difficult. Further, performance may be improved asperforming operations directly via hardware logic may requiresubstantially fewer execution cycles than performing the operations viasoftware.

Referring now to the drawings, FIG. 1 is an example block diagram of acryptographic device 100. The cryptographic device 100 may be includedin any type of device performing cryptographic operations, such as asecure microprocessor, a notebook computer, a desktop computer, anall-in-one system, a slate computing device, a portable reading device,a wireless email device, a mobile phone, and the like. In the embodimentof FIG. 1, the device 100 includes an attribute module 110 and acomparison module 120.

The attribute and comparison modules 110 and 120 may include, forexample, a hardware device including electronic circuitry forimplementing the functionality described below, such as a register orBoolean logic. In addition or as an alternative, the attribute andcomparison modules 110 and 120 may be implemented as a series ofinstructions encoded on a machine-readable storage medium and executableby a processor.

The attribute module 110 is to receive a process identifier (PID) from acrypto process 130. The PID identifies the crypto process 130 requestinga cryptographic operation. The attribute module 110 is to determine atleast one allowed cryptographic operation associated with the PID. Thecomparison module 120 is to compare the requested cryptographicoperation to the at least one allowed cryptographic operation output bythe attribute module 110, to determine if the requested cryptographicoperation is allowable. The term cryptographic operation may refer toany to type of procedure related to encryption and/or decryption ofinformation, such as data or code. The term process may refer to anypart of a computer program or instance thereof. Embodiments of theattribute and comparison modules 110 and 120 will be explained ingreater detail with respect to FIG. 2.

FIG. 2 is another example block diagram of a cryptographic device 200.The cryptographic device 200 may be included in any type of deviceperforming cryptographic operations, such as a secure microprocessor, anotebook computer, a desktop computer, an all-in-one system, a slatecomputing device, a portable reading device, a wireless email device, amobile phone, and the like.

In the embodiment of FIG. 2, the device 200 includes an attribute module210, a comparison module 220, a crypto module 230 and a secure keymemory 240. The attribute and comparison modules 210 and 220 of FIG. 2may be similar to the attribute and comparison modules 110 and 120 ofFIG. 1.

The attribute module 210, the comparison module 220 and the cryptomodule 230 may include, for example, hardware devices includingelectronic circuitry for implementing the functionality described below.In addition or as an alternative, each module may be implemented as aseries of instructions encoded on a machine-readable storage medium andexecutable by a processor. The secure key memory 240 may be part of amachine-readable storage medium, such as any type of electronic,magnetic, optical, or other physical storage device capable of storinginformation, like data or instructions. Example of the machine-readablestorage medium include Random Access Memory (RAM), an ElectricallyErasable Programmable Read-Only Memory (EEPROM), a storage drive, aCompact Disc Read Only Memory (CD-ROM), and the like.

In FIG. 2, the attribute module 210 receives a key identifier (KID) froma crypto process 250 requesting a cryptographic operation, where the KIDis a reference to a key value. Alternatively, in another embodiment, theattribute module 210 may instead receive the key value itself. Theattribute module 210 also receives the PID of the crypto process 250. Asnoted above, the PID provides the identity of the crypto process 250.Each process and/or type of process may have a different PID. Theattribute module 210 determines at least one allowed cryptographicoperation associated with the received PID and KID, as described infurther detail below.

The comparison module 220 receives process attributes from the cryptoprocess 250 related to the requested cryptographic operation andreceives allowed attributes related to the at least one allowedcryptographic operation. As shown in FIG. 2, the process and allowedattributes each include an algorithm, a mode, and an application field.The application field may indicate a type or use of the information uponwhich the requested cryptographic operation is to be performed.

The algorithm field may include a symmetric or asymmetric key algorithm.Examples of symmetric algorithms include Twofish, Serpent, AES(Rijndael), Blowfish, CASTS, RC4, 3DES, IDEA and the like. Examples ofasymmetric algorithms include Diffie-Hellman key exchange protocol,Digital Signature Standard (DSS), EIGamal, Paillier cryptosystem, RSAencryption algorithm and Cramer-Shoup cryptosystem, and the like. Thealgorithm field may indicate a type of encryption or decryptionprocedure to be performed.

The mode field may include a block or stream cipher mode. Examples ofblock cipher mode include Electronic codebook (ECB), Cipher-blockchaining (CBC), Propagating cipher-block chaining (PCBC), Cipherfeedback (CFB), Output feedback (OFB), Counter (CTR) mode and the like.Examples of stream cipher mode include synchronous andself-synchronizing stream ciphers, such as RC4, A5/1, A5/2, Chameleon,FISH, Helix, ISAAC, MUGI, Panama, Phelix, Pike, SEAL, SOBER, SOBER-128,WAKE and the like. The mode field may relate to a type of procedure forenabling the repeated and secure use of the algorithm using the same keyvalue. While the process and allowed attributes are described asincluding the algorithm, mode and application fields, embodiments mayalso include different types of cryptographic information.

In one embodiment, the attribute module 210 may include a plurality ofattributes lists. Each of the attributes lists may include thealgorithm, mode, and application fields. Further, each of the allowedattributes lists may be associated with at least one of a plurality ofthe PIDs. Also, each of the allowed attributes lists may be associatedwith at least one of a plurality of the KIDs. While the attributes listsare described as including the algorithm, mode, and application fields,embodiments are not limited thereto. For example, the attributes listsmay include various types and/or number of attributes. For instance, atleast one of the attributes lists may include only one field or even nofields.

The attribute module 210 outputs one of the attributes lists as theallowed attributes to the comparison module 220 based on the receivedPID and the received the KID. In an embodiment, the algorithm, mode, andapplication fields may be multi-bit fields. Each of the bits of thealgorithm field of the process and allowed attributes may correspond toone of a plurality of different types of cryptographic algorithms, suchas those described above. Similarly, each of the bits of the mode fieldof the process and allowed attributes may correspond to one of aplurality of different types of cryptographic modes, such as thosedescribed above. Further, each of the bits of the application field ofthe process and allowed attributes may correspond to one of a pluralityof different types of application uses. Examples of differentapplication uses may include a type of source or destination of theinformation, such as an external memory destination or a key valuesource. However, embodiments are not limited thereto. For example,different application uses may include a type of the information, a typeof the user, a type of application requesting the cryptographicoperation, a time of the request, and the like.

Depending on the attributes associated with the PID and KID, more thanone bit may be set for any one of the multi-bit fields of the algorithm,mode, and application fields of the allowed attributes output by theattribute module 210. For example, more than one bit may be set for thealgorithm field if the crypto is process is allowed to use more thantype of algorithm for the key value associated with the KID.Nonetheless, the crypto process may only request one type ofcryptographic operation at a time. Thus, only one of the bits may be setfor each of the algorithm, mode, and application fields of the processattributes output by the crypto process.

In another embodiment, the attribute module 210 may output or allowaccess to the plurality of attributes lists and the plurality of KIDsassociated therewith to the crypto process 250. As a result, the cryptoprocess 250 may select from one of the plurality of KIDs to output tothe attribute module 210 based on the allowed one or more operations orattributes associated with each of the KIDs. Thus, the crypto process250 may more efficiently select the KID based on knowledge of thecryptographic operations allowable to the crypto process 250 for a givenKID.

In FIG. 2, the comparison module 220 is shown to include a plurality ofbitwise AND gates 221-223. Each of the bitwise AND gates 221-223 bitwiselogically ANDs one of the algorithm, mode, and application fields of theprocess attributes with that of the allowed attributes. For example, thefirst bitwise AND gate 221 bitwise logically ANDs the m-bit applicationfield of the allowed attributes received from the attribute module 210with the m-bit application field of the process attributes received fromthe crypto process 250, where m is a natural number. The second bitwiseAND gate 222 bitwise logically ANDs the n-bit mode field of the allowedattributes received from the attribute module 210 with the n-bit modefield of the process attributes received from the crypto process 250,where n is a natural number. The third bitwise AND gate 223 bitwiselogically ANDs the o-bit algorithm field of the allowed attributesreceived from the attribute module 210 with the o-bit algorithm field ofthe process attributes received from the crypto process 250, where o isa natural number.

The comparison module 220 also includes a plurality of OR gates 224-226.Each of the OR gates 224-226 logically ORs an output of one of thebitwise AND gates 221-223. For example, the first OR gate 224 logicallyORs the m-bit output of the first AND gate 221. The second OR gate 225logically ORs the n-bit output of the second AND gate 222. The third ORgate 226 logically ORs the o-bit output of the third AND gate 223. If anoutput of the first OR gate 224 is a logic one or high, then thisindicates that the requested application by the crypto process 250 is anallowed application use. Otherwise, if the output of the first OR gate224 is a logic zero or low, then this indicates that the requestedapplication by the crypto process 250 is not an allowed application use.An output of the second and third OR gates 225 and 226 may indicatesimilar results with respect to the requested algorithm and mode by thecrypto process 250.

The comparison module 220 further includes a first AND gate 227 tologically AND an output of the plurality of OR gates 224-226. If anoutput of the first AND gate 227 is a logic one or high, then thisindicates that the algorithm, mode and application requested by thecrypto process 250 is an acceptable combination, and thus an allowablecryptographic operation. Conversely, if the output of the first AND gate227 is a logic zero or low, then this indicates that the algorithm, modeand application requested by the crypto process 250 is not an acceptablecombination, and thus not an allowable cryptographic operation.

The output of the first AND gate 227 is output to the crypto process 250as a success signal to indicate whether the requested cryptographicoperation is to be performed. For example, if the success signal is at alogic one or high, then the crypto process 250 is notified that therequested cryptographic operation is an allowable cryptographicoperation and will be performed. Otherwise, if the success signal is ata logic zero or low, then the crypto process 250 is notified that therequested cryptographic operation is not an allowable cryptographicoperation and will not be performed.

The output of the first AND gate 227 is also input to a second AND gate228 of the comparison module 220. The second AND gate 228 logically ANDsthe output of the first AND gate 227 with a first start signal output bythe crypto process 250 to output a second start signal. The first startsignal indicates a time at which the crypto process 250 seeks to startthe requested cryptographic operation. Hence, the second AND gate 228will output the second start signal at a logic one or high, when therequested cryptographic operation is allowable and to ready to begin.

The output of the second AND gate 228 is output to crypto module 230.The crypto module 230 also receives the process attributes, such as thealgorithm, mode and application fields, from the crypto process 250.Further, the crypto module 230 receives length, source and destinationfields from the crypto process 250. The length field indicates a lengthof the information to be operated upon. The source field indicates alocation, such as a pointer, of the information to be operated upon. Thedestination field indicates a location, such as a pointer, at which theinformation is to be written to after being operated upon.

The secure key memory 240 may store a plurality of key values. Further,the secure key memory may output one of the plurality of key values tothe crypto module 230 in response to receiving one of the plurality ofKIDs from the attribute module 210. Each of the key values may beassociated with at least one of the KIDs. In FIG. 2, the key value isoutput to the crypto module 230 via the attribute module 210. However,embodiments may also include the KID being directly received by thesecure key memory 240 and/or key value being directly output from thesecure key memory 240 to the crypto module 230. In other embodiments,the secure key memory 240 may be excluded and the plurality of keyvalues may be stored directly at the attribute module 210. Storing theplurality of key values at the secure key memory 240 may preventseparation between the plurality of key values, simplify key managementand/or reduce the likelihood of corruption or leaking of the key values.

A supervisory process 260 may set at least one of the plurality of theattributes lists at the attribute module 210. For example, thesupervisory process 260 may add, modify or delete attributes lists. Thesupervisory process 260 may also add key values to the secure key memory240. In order to improve security, the supervisory process 260 may beseparate from the crypto process 250 and the crypto process 250 may notgenerally set any of the plurality of the attributes lists. However, inan embodiment, the crypto process 250 may add an attributes list to theattribute module 210 that is associated with a key value added to thesecure key memory 240 by the crypto process 250.

Upon receiving the length, source and destination fields, the key value,the process parameters and the second start signal, the crypto module230 performs the requested cryptographic operation, if the second startsignal is at the logic high, thus indicating that the requestedcryptographic operation is allowable and ready to begin.

FIG. 3 is an example block diagram of a computing device 300 includinginstructions for comparing requested and allowed cryptographicoperations. In the embodiment of FIG. 3, the computing device 300includes a processor 310 and a machine-readable storage medium 320. Themachine-readable storage medium 320 further includes instructions 322,324, 326 and 328 for comparing requested and allowed cryptographicoperations.

The computing device 300 may be, for example, a chip set, a notebookcomputer, a slate computing device, a portable reading device, awireless email device, a mobile phone, or any other device capable ofexecuting the instructions 322, 324, 326 and 328. In certain examples,the computing device 300 may include or be connected to additionalcomponents such as memories, sensors, displays, etc.

The processor 410 may be, at least one central processing unit (CPU), atleast one semiconductor-based microprocessor, at least one graphicsprocessing unit (GPU), other hardware devices suitable for retrieval andexecution of instructions stored in the machine-readable storage medium320, or combinations thereof. The processor 410 may fetch, decode, andexecute instructions 322, 324, 326 and 328 to implement encrypting ordecrypting of information. As an alternative or in addition toretrieving and executing instructions, the processor 310 may include atleast one integrated circuit (IC), other control logic, other electroniccircuits, or combinations thereof that include a number of electroniccomponents for performing the functionality of instructions 322, 324,326 and 328.

The machine-readable storage medium 320 may be any electronic, magnetic,optical, or other physical storage device that contains or storesexecutable instructions. Thus, the machine-readable storage medium 420may be, for example, Random Access Memory (RAM), an ElectricallyErasable Programmable Read-Only Memory (EEPROM), a storage drive, aCompact Disc Read Only Memory (CD-ROM), and the like. As such, themachine-readable storage medium 320 can be non-transitory. As describedin detail below, machine-readable storage medium 320 may be encoded witha series of executable instructions encrypting or decryptinginformation.

Moreover, the instructions 322, 324, 326 and 328 when executed by aprocessor (e.g., via one processing element or multiple processingelements of the processor) can cause the processor to perform processes,such as, the process of FIG. 4. For example, the receive instructions322 may be executed by the processor 310 to receive process parametersdefining a requested cryptographic operation by a process. The processparameters may include a process ID (PID) identifying the process and akey identifier (KID) referencing a key value. The select instructions324 may be executed by the processor 310 to select one of a plurality ofattributes lists based on the PID and the KID. The selected attributeslist defines at least one allowed operation. The compare instructions326 may be executed by the processor 310 to compare the selectedattributes list to at least part of the process parameters. Thedetermine instructions 328 may be executed by the processor 310 todetermine if the at least one allowed operation includes the requestedcryptographic operation, based on the comparison.

The machine-readable storage medium 320 may also include instructions(not shown) to allow a crypto module (not shown) to perform therequested cryptographic operation if the at least one allowed operationincludes the requested cryptographic operation, and to alert the processthat the requested cryptographic operation is not performed if the atleast one allowed operation does not include the requested cryptographicoperation. An operation of the device 300 may be described in moredetail with respect to FIG. 4.

FIG. 4 is an example flowchart of a cryptographic method 400. Althoughexecution of the method 400 is described below with reference to thedevice 100, other suitable components for execution of the method 400can be utilized, such as the device 200. Additionally, the componentsfor executing the method 400 may be spread among multiple devices (e.g.,a processing device in communication with input and output devices). Incertain scenarios, multiple devices acting in coordination can beconsidered a single device to perform the method 400. The method 400 maybe implemented in the form of executable instructions stored on amachine-readable storage medium, such as storage medium 320, and/or inthe form of electronic circuitry.

At block 405, the device 100 receives a process identifier (PID)identifying a crypto process 130 requesting a cryptographic operationand a key identifier (KID) associated with the crypto process 130. Then,at block 410, the device 100 selects one of a plurality of attributeslists based on the received PID and KID. Each the attributes lists areassociated with at least one of a plurality of PIDs and at least one ofa plurality of KIDs. Next, at block 415, the device 100 receives processattributes indicating the requested cryptographic operation of thecrypto process 130.

As noted above, the process attributes and each of the attributes listsinclude an algorithm, a mode, and an application field. The applicationfield indicates a type or use of the information upon which therequested cryptographic operation is to be performed. As also notedabove, the algorithm, mode, and application fields may include aplurality of bits. Only one of the bits may set for each of thealgorithm, mode, and application fields of the process attributes, whileat least one of bits may be set for each of the algorithm, mode, andapplication fields of the allowed attributes. The bits of the algorithm,mode and application fields are set to indicate a corresponding type ofallowable algorithms, modes and applications.

Lastly, at block 420, the device 100 compares the received processattributes to allowed attributes included in the selected attributeslist to determine if the requested cryptographic operation is allowable.The allowed attributes indicate at least one allowed cryptographicoperation of the crypto process 130.

According to the foregoing, embodiments provide a method and/or devicefor reducing a likelihood of tampering with cryptographic attributesassociated with key values or KIDs. For example, a comparison module maycompare a cryptographic operation requested by a crypto process withcryptographic operations that are allowed for a given key value, todetermine whether the requested cryptographic operation is allowable.Further, key values and attributes associated therewith may be accessedand/or stored separately from the crypto process to provide greatersecurity.

We claim:
 1. A device comprising: an attribute module to receive aprocess identifier (PID) identifying a process requesting acryptographic operation, the attribute module to determine at least oneallowed cryptographic operation associated with the PID; and acomparison module to compare the requested cryptographic operation tothe at least one allowed cryptographic operation, to determine if therequested cryptographic operation is allowable.
 2. The device of claim1, wherein, the attribute module further receives at least one of a keyvalue and a key identifier (KID), where the KID is a reference to thekey value, and the attribute module further determines the at least oneallowed cryptographic operation associated with the received PID and thereceived at least one of the key value and the KID.
 3. The device ofclaim 2, wherein, the comparison module receives process attributesrelated to the requested cryptographic operation and receives allowedattributes related to the at least one allowed cryptographic operation,the process and allowed attributes each include at least one of analgorithm, a mode, and an application field, and the application fieldindicates at least one of how and where the requested cryptographicoperation is to be performed on data.
 4. The device of claim 3, wherein,the attribute module includes a plurality of attributes lists, each ofthe attributes lists include the algorithm, mode, and application field,each of the allowed attributes lists is associated with at least one ofa plurality of the PIDs, each of the allowed attributes lists isassociated with at least one of a plurality of the KIDs and the keyvalues, and the attribute module outputs one of the attributes lists asthe allowed attributes based on the received PID and the received atleast one of the key value and the KID.
 5. The device of claim 4,further comprising: a crypto module to receive the process attributesfrom the process, wherein the comparison module indicates to the processthat the requested cryptographic operation was not performed, if thecomparison module determines that the requested cryptographic operationis not allowable
 6. The device of claim 5, wherein the crypto moduleperforms the requested cryptographic operation if the comparison moduledetermines that the requested cryptographic operation is allowable. 7.The device of claim 6, wherein, the algorithm, mode, and applicationfields are multi-bit fields, the comparison module includes a pluralityof bitwise AND gates, each of the bitwise AND logic gates to bitwiselogically AND one of the algorithm, mode, and application field of theprocess attributes with that of the allowed attributes, and thecomparison module includes a plurality of OR gates, each of the OR gatesto logically OR an output of one of the bitwise AND gates, and thecomparison module includes an AND gate to logically AND an output of theplurality of OR gates.
 8. The device of claim 7, wherein only one of thebits is set for each of the algorithm, mode, and application fields ofthe process attributes, each of the bits of the algorithm field of theprocess and allowed attributes corresponds to one of a plurality ofdifferent types of cryptographic algorithms, each of the bits of themode field of the process and allowed attributes corresponds to one of aplurality of different types of cryptographic modes, and. each of thebits of the application field of the process and allowed attributescorresponds to one of a plurality of different types of applicationuses.
 9. The device of claim 6, further comprising: a secure key memoryto store the plurality of key values, wherein the secure key memoryoutputs one of the plurality of key values to the crypto module inresponse to receiving one of the plurality of KIDs from the attributemodule, a supervisory application is to set at least one of theplurality of the attributes lists, and the process is to only add anattributes list associated with a first key value of the plurality ofkey values if the process added the first key value to the securememory.
 10. The device of claim 9, wherein, the attribute module is tooutput the plurality of attributes lists and the plurality of KIDsassociated therewith to the process, and the process is select one ofthe plurality of KIDs to output to the attribute module based on theallowed one or more operations associated with the plurality ofattributes lists and the KIDs.
 11. A cryptographic method, comprising:receiving a process identifier (PID) identifying a process requesting acryptographic operation and a key identifier (KID) associated with theprocess; selecting one of a plurality of attributes lists based on thereceived PID and KID, each the attributes lists to be associated with atleast one of a plurality of PIDs and at least one of a plurality ofKIDs; receiving process attributes indicating the requestedcryptographic operation of the process; and comparing the receivedprocess attributes to allowed attributes included in the selectedattributes list to determine if the requested cryptographic operation isallowable, the allowed attributes to indicate at least one allowedcryptographic operation of the process.
 12. The method of claim 11,wherein the process attributes and each of the attributes lists includean algorithm, a mode, and an application field, and the applicationfield indicates at least one of how and where the requestedcryptographic operation is to be performed on information.
 13. Themethod of claim 12, wherein the algorithm, mode, and application fieldsinclude a plurality of bits, only one of the bits is set for each of thealgorithm, mode, and application fields of the process attributes, atleast one of bits is set for each of the algorithm, mode, andapplication fields of the allowed attributes, and the bits of thealgorithm, mode and application fields are set to indicate acorresponding type of allowable algorithms, modes and applications. 14.A non-transitory computer-readable storage medium storing instructionsthat, if executed by a processor of a device, cause the processor to:receive process parameters defining a requested cryptographic operationby a process, the process parameters including a process ID (PID)identifying the process and a key identifier (KID) referencing a keyvalue; select one of a plurality of attributes lists based on the PIDand the KID, the selected attributes list to define at least one allowedoperation; compare the selected attributes list to at least part of theprocess parameters; and determine if the at least one allowed operationincludes the requested cryptographic operation, based on the comparison.15. The non-transitory computer-readable storage medium of claim 14,further comprising instructions that, if executed by the processor,cause the processor to: allow a crypto module to perform the requestedcryptographic operation if the at least one allowed operation includesthe requested cryptographic operation; and alert the process that therequested cryptographic operation is not performed if the at least oneallowed operation does not include the requested cryptographicoperation.